shnlog i security2k.net ; log

[gal001]

problem chyba ogolnie znany, ale zadna z solucji jakie znalazlem nie dala rady
w moim wypadku. moze ktos looknac na loga? :
"Silent Runners.vbs", revision 40.1, www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-
express.com"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchApp" = "Alaunch" ["Acer Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics,
Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"SiS Windows KeyHook" = "C:\WINDOWS\system32\keyhook.exe" ["Silicon
Integrated Systems Corporation"]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1
\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC"
[null data]
"PHIME2002ASync" = "C:\WINDOWS\system32
\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32
\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"PCMService" = ""C:\Program Files\Arcade\PCMService.exe"" ["CyberLink
Corp."]
"LManager" = "C:\Program Files\Launch Manager\QtZgAcer.EXE" ["Dritek
System Inc."]
"eRecoveryService" = "C:\Windows\System32\Check.exe" ["acer Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
["Apple Computer, Inc."]
"wcmdmgr" = "C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch" ["WildTangent,
Inc."]
"RegSvr32" = "C:\WINDOWS\system32\msmsgs.exe" [file not found]
"MKS_MENU" = "C:\Program Files\MKS\Bin\mks_menu.exe" ["MKS Sp. z
o.o."]
"ABREGMON" = "C:\Program Files\MKS\Bin\ABregmon.exe" ["ArcaBit"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
["Zone Labs, LLC"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\
{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hp48A.tmp"
[file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll"
["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play
Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll"
[MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
\ashShell.dll" ["ALWIL Software"]
MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\MKS\Bin\MkSShell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
\ashShell.dll" ["ALWIL Software"]
MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\MKS\Bin\MkSShell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\ACER.SCR" [null data]


Startup items in "Master login" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon
Integrated Systems Corporation"]


Enabled Scheduled Tasks:
------------------------

"MkSUpdate" -> launches: "C:\Program Files\MKS\bin\mks_upd.exe Task"
["MkS Sp. z o. o."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2
\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2
\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ##
range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll"
[MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit NetMonitor, ABNetMon, "C:\Program Files\MKS\Bin\NetMonSV.exe"
["ArcaBit sp. z o.o."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil
Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avas

[Gość: Kolobos]

Wklej log z hijackthis jak mozesz.

[Gość: gal001]

z tego co przeczytalem to hijack w tym wypadku nie wykrywa wszystkiego(?):
Logfile of HijackThis v1.99.1
Scan saved at 11:43:07, on 2005-09-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MKS\Bin\mks_menu.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Master login\My Documents\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wp.pl/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\system32\hp48A.tmp (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1
\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32
\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32
\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program
Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL
Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) -
file://E:\GAMES\msjavx86_3805.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) -
file://E:\games\WebDriverFullInstall.exe
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program
Files\MKS\Bin\NetMonSV.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. -
C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program
Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program
Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZONELABS\vsmon.exe

[Gość: Kolobos]

W Twoim logu nie ma nic ciekawego wiec log z silent nie jest potrzebny.
Odinstaluj MKS, jeden antyvirus wystarczy!

Przeskanuj tym:
download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
download.ewido.net/ewido-setup.exe <- zrob update przed skanowaniem, po
przeskanowaniu odinstaluj.
Zamknij porty tym:
www.firewallleaktester.com/tools/wwdc.exe

W hijackthis usun:

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\system32\hp48A.tmp (file missing)
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch <-
wylacz w msconfig
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe <- usun plik
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL
Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) -
file://E:\GAMES\msjavx86_3805.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) -
file://E:\games\WebDriverFullInstall.exe

[Gość: gal001]

hm, co ciekawe albo wczesniej udalo mi sie usnac, albo
mks po aktualizacji wywalil w koncu skutecznie shnlog.
dzieki za pomoc